Page 29 - GiGW3
4. Focus areas
S1. Malicious users can deface the website.
S2. Any harmful actor may get access to confidential information.
S3. The availability of the website/app can be hampered.
S4. The malicious user may change/modify the content on the website.
S5. Security failures typically lead to unauthorised information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.
S6. A file upload flaw allows an attacker to retrieve the password database. The security of web applications determines the protection needs of data in transit and at rest. Attackers can steal such information; for example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, mainly if that data falls under privacy laws, the Personal Data Protection Bill, etc.
S7. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above, they could alter all transported data, e.g., the recipient of a money transfer.
S8. Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
S9. Attackers have to gain access to only a few accounts, or just one admin account, to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud and identity theft, or disclose legally protected, highly sensitive information.
S10. Security flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. The business impact depends on the protection needs of all affected applications and data.
S11. Attackers acting as users or administrators, or users using privileged functions, can create, access, update or delete every record.
S12. Security misconfiguration frequently gives attackers unauthorised access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
S13. The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS, with remote code execution in the victim's browser, such as stealing credentials or sessions, or delivering malware to the victim.
S14. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
S15. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of a successful exploit to nearly 100%.

4.4 Lifecycle management

Maintaining a website/app is just as important as developing it, because a website/app is a dynamic entity that requires regular updates and monitoring to remain relevant, functional and secure. Without proper maintenance, a website/app can become vulnerable to security breaches, performance issues and content that is outdated or irrelevant, which can negatively impact the user experience and drive away potential visitors. Regular maintenance can help prevent security breaches, ensure functionality, keep content up-to-date and optimise the website/app for search engines. Therefore, website/app life cycle management, including ongoing maintenance, is crucial for the success and longevity of a website.

After launching a website, ongoing maintenance is essential to keep the website/app up-to-date and functioning properly. This involves updating website/app content, monitoring performance, ensuring security, fixing bugs and errors, and optimising the website/app for search engines. Establishing policies and procedures for website/app maintenance is important, including a change management process, backup and disaster recovery plans, security policies and a content management plan. Regularly monitoring the website's performance, user engagement and search engine optimisation is crucial to ensure that the website/app is meeting its objectives and to identify areas for improvement.

The risks already identified under 'Quality' are also associated with non-conformity with the Lifecycle Management guidelines.
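Risk S7 relies on two conditions that a server can deny: the session cookie being transmitted over plain HTTP, and the browser accepting an HTTPS-to-HTTP downgrade. The following header audit is an added example, not code from GiGW3 or any referenced project; the session cookie names, the sample responses and the one-year HSTS threshold are constructed or assumed for illustration.

```python
"""Audit HTTP response headers for the weaknesses behind risk S7.

Checks that session cookies carry Secure and HttpOnly (and a SameSite
policy) and that Strict-Transport-Security (HSTS) is present, so the cookie
is never sent in clear and the browser refuses an HTTPS-to-HTTP downgrade.
Constructed example; not part of the GiGW3 guidelines.
"""
import re

# Cookie names treated as session identifiers (assumed list; extend per app).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "connect.sid"}
# Minimum HSTS max-age accepted: one year in seconds (assumed policy value).
MIN_HSTS_MAX_AGE = 31536000


def parse_set_cookie(value):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value.
    Flag attributes such as Secure and HttpOnly get an empty string value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a sorted list of finding strings; an empty list means no issue."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if cname.lower() not in SESSION_COOKIE_NAMES:
                continue  # only session cookies matter for S7
            if "secure" not in attrs:
                findings.append(f"{cname}: missing Secure (cookie would be sent over plain HTTP)")
            if "httponly" not in attrs:
                findings.append(f"{cname}: missing HttpOnly (readable by injected script)")
            if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
                findings.append(f"{cname}: SameSite not Lax/Strict")
        elif lname == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header absent (HTTPS-to-HTTP downgrade not blocked)")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age missing or shorter than one year")
    return sorted(findings)


# Constructed sample responses: a weak one and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(response) or "no findings")
```

The weak response yields four findings (no Secure, no HttpOnly, no SameSite, no HSTS); the hardened one yields none. In practice the header pairs would come from a real response object, and the list of session cookie names would be taken from the application's own configuration.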
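Risk S8 turns on a single mechanism, hostile data reaching an interpreter as part of the statement rather than as a value, and S13 is the same mechanism with the browser's HTML parser as the interpreter. The example below is added here and is not code from GiGW3 or any referenced project; it uses an in-memory SQLite table with constructed rows to show a query that splices input into SQL text next to the parameterised form, and closes with standard output encoding for the HTML context.

```python
"""Injection versus parameterised query (S8), plus output encoding (S13).

Constructed example, not part of the GiGW3 guidelines. The sample rows and
the hostile input are made up for illustration.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: three user rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately flawed: the input is spliced into the SQL text, so the
    interpreter cannot distinguish data from the statement itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: the statement is fixed and the value is bound as a parameter,
    so whatever the input contains is compared as a literal string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(username):
    """Output encoding for the HTML interpreter: special characters become
    entities, so user-supplied data cannot become markup or script."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile input: makes the WHERE clause always true
    print(find_user_vulnerable(conn, hostile))  # every row is returned
    print(find_user_safe(conn, hostile))        # no row has that literal name
    print(render_greeting("<script>alert(1)</script>"))
```

The vulnerable query returns all three users for the hostile input because the interpreter executes the input as part of the condition; the parameterised query returns nothing, because no username equals that string. The same separation of data from code is what output encoding provides for the browser.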